Repository: cxf-fediz
Updated Branches:
  refs/heads/master e75f25ea3 -> 69034b82c


Support a drop down list to choose a home realm IdP for SAML SSO


Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/69034b82
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/69034b82
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/69034b82

Branch: refs/heads/master
Commit: 69034b82c05be6cd16dfdbbef3bed5be564dd762
Parents: e75f25e
Author: Colm O hEigeartaigh <[email protected]>
Authored: Thu Oct 27 17:11:12 2016 +0100
Committer: Colm O hEigeartaigh <[email protected]>
Committed: Thu Oct 27 17:11:12 2016 +0100

----------------------------------------------------------------------
 .../WEB-INF/flows/federation-signin-request.xml | 14 ++--
 .../WEB-INF/flows/saml-signin-request.xml       | 84 +++++++++++++++++++-
 .../WEB-INF/flows/saml-validate-request.xml     | 14 ++++
 .../apache/cxf/fediz/systests/idp/IdpTest.java  | 33 ++++++++
 .../test/resources/realma/entities-realma.xml   |  7 ++
 5 files changed, 142 insertions(+), 10 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/69034b82/services/idp/src/main/webapp/WEB-INF/flows/federation-signin-request.xml
----------------------------------------------------------------------
diff --git 
a/services/idp/src/main/webapp/WEB-INF/flows/federation-signin-request.xml 
b/services/idp/src/main/webapp/WEB-INF/flows/federation-signin-request.xml
index 5137047..7494366 100644
--- a/services/idp/src/main/webapp/WEB-INF/flows/federation-signin-request.xml
+++ b/services/idp/src/main/webapp/WEB-INF/flows/federation-signin-request.xml
@@ -31,15 +31,6 @@
     <input name="wauth" />
     <input name="whr" />
 
-    <decision-state id="checkHRDSEnabled">
-        <if test="true" then="processHRDSExpression" 
else="checkDefaultToThisIDP" />
-    </decision-state>
-
-    <decision-state id="checkDefaultToThisIDP">
-        <if test="flowScope.idpConfig.isUseCurrentIdp()" 
then="checkWauthTypeSupported"
-            else="viewBadRequest" />
-    </decision-state>
-
     <decision-state id="processHRDSExpression">
         <on-entry>
             <evaluate 
expression="processHRDSExpressionAction.submit(flowRequestContext, 
flowScope.whr)" 
@@ -55,6 +46,11 @@
         <if test="flowScope.idpConfig.isProvideIdpList() == false"
             then="checkDefaultToThisIDP" else="showIDPList" />
     </decision-state>
+    
+    <decision-state id="checkDefaultToThisIDP">
+        <if test="flowScope.idpConfig.isUseCurrentIdp()" 
then="checkWauthTypeSupported"
+            else="viewBadRequest" />
+    </decision-state>
 
     <view-state id="showIDPList" view="idplist" model="trustedIDPSelection">
         <var name="trustedIDPSelection"

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/69034b82/services/idp/src/main/webapp/WEB-INF/flows/saml-signin-request.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/flows/saml-signin-request.xml 
b/services/idp/src/main/webapp/WEB-INF/flows/saml-signin-request.xml
index 70f7452..a166e5d 100644
--- a/services/idp/src/main/webapp/WEB-INF/flows/saml-signin-request.xml
+++ b/services/idp/src/main/webapp/WEB-INF/flows/saml-signin-request.xml
@@ -28,7 +28,80 @@
     <input name="RelayState" />
     <input name="Signature" />
 
-    <decision-state id="signInEntryPoint">
+    <decision-state id="processHRDSExpression">
+        <on-entry>
+            <evaluate 
expression="processHRDSExpressionAction.submit(flowRequestContext, null)" 
+                      result="flowScope.homerealm" />
+        </on-entry>
+        <if test="flowScope.homerealm == null or 
flowScope.homerealm.trim().isEmpty()"
+            then="provideIDPListForUser" else="checkIsThisIDP" />
+    </decision-state>
+    
+    <decision-state id="provideIDPListForUser">
+        <if test="flowScope.idpConfig.trustedIdps == null or 
idpConfig.trustedIdps.isEmpty()"
+            then="checkDefaultToThisIDP" />
+        <if test="flowScope.idpConfig.isProvideIdpList() == false"
+            then="checkDefaultToThisIDP" else="showIDPList" />
+    </decision-state>
+    
+    <decision-state id="checkDefaultToThisIDP">
+        <if test="flowScope.idpConfig.isUseCurrentIdp()" 
then="homeRealmSignInEntryPoint"
+            else="viewBadRequest" />
+    </decision-state>
+    
+    <view-state id="showIDPList" view="idplist" model="trustedIDPSelection">
+        <var name="trustedIDPSelection"
+            class="org.apache.cxf.fediz.service.idp.model.TrustedIDPSelection" 
/>
+        <binder>
+            <binding property="whr" required="true" />
+        </binder>
+        <on-entry>
+            <set name="requestScope.idPConfig" value="flowScope.idpConfig" />
+        </on-entry>
+        <transition on="submit" to="checkIsThisIDP" bind="true"
+            validate="true">
+            <set name="flowScope.homerealm" value="trustedIDPSelection.whr" />
+            <evaluate
+                expression="homeRealmReminder.addCookie(flowRequestContext, 
flowScope.homerealm)" />
+        </transition>
+        <transition on="cancel" to="checkDefaultToThisIDP"
+            bind="false" validate="false" />
+    </view-state>
+    
+    <!-- Home Realm is known then we can store it in cookie -->
+    <decision-state id="checkIsThisIDP">
+        <if test="flowScope.idpConfig.realm.equals(flowScope.homerealm)"
+            then="homeRealmSignInEntryPoint" else="checkIdpTokenWhrWauth" />
+    </decision-state>
+    
+    <!-- 
=============================================================================================================
 -->
+    
+    <!-- Is 'wresult/RP-IDP token' already received and validated (then stored 
+        in session) from requestor IDP ? -->
+    <decision-state id="checkIdpTokenWhrWauth">
+        <if test="externalContext.sessionMap[flowScope.homerealm] != null"
+            then="wfreshParserRemoteAction" else="redirectToTrustedIDP" />
+    </decision-state>
+    
+    <action-state id="wfreshParserRemoteAction">
+        <evaluate
+            
expression="idpTokenExpiredAction.isTokenExpired(flowScope.homerealm, 
flowRequestContext)" />
+        <transition on="yes" to="redirectToTrustedIDP" />
+        <transition on="no" to="validateWReply" >
+            <set name="flowScope.idpToken" 
value="externalContext.sessionMap[flowScope.homerealm]" />
+        </transition>
+        <transition on-exception="java.lang.Throwable" to="viewBadRequest" />
+    </action-state>
+    
+    <action-state id="validateWReply">
+        <evaluate 
expression="passiveRequestorValidator.isValid(flowRequestContext, 
flowScope.consumerURL, flowScope.realm)"/>
+        <transition on="yes" to="requestRpToken" />
+        <transition on="no" to="viewBadRequest" />
+    </action-state>
+    
+    <!-- 
=============================================================================================================
 -->
+    
+    <decision-state id="homeRealmSignInEntryPoint">
         <on-entry>
             <!-- Here, home realm is guaranteed to be THIS realm -->
             <set name="flowScope.homerealm" value="flowScope.idpConfig.realm" 
/>
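Review bot: The home realm bound from `trustedIDPSelection.whr` (or returned by `processHRDSExpressionAction`) is used directly as a session key in `checkIdpTokenWhrWauth` (`externalContext.sessionMap[flowScope.homerealm] != null`), but nothing in this hunk checks that it names an entry of `flowScope.idpConfig.trustedIdps`; if that check is not done by the model's validation or by `trustedIdpProtocolAction` downstream, an unknown realm reaches the session lookup and the redirect path. Consider a decision-state between `checkIsThisIDP` and `checkIdpTokenWhrWauth` that routes to `viewBadRequest` when the realm is not a configured trusted IdP, or at least a comment stating where that check lives. Separately, the second operand in `provideIDPListForUser` reads `idpConfig.trustedIdps.isEmpty()` without the `flowScope.` prefix used everywhere else; it presumably resolves through scope search, but `flowScope.idpConfig.trustedIdps.isEmpty()` would be consistent. The comment above `checkIdpTokenWhrWauth` still speaks of a "wresult/RP-IDP token", which is WS-Federation wording carried into the SAML flow.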
@@ -110,5 +183,14 @@
     
     <!-- abnormal exit point -->
     <end-state id="scInternalServerError" />
+    
+    <!-- redirects to requestor idp -->
+    <end-state id="redirectToTrustedIDP">
+        <on-entry>
+            <evaluate 
expression="signinParametersCacheAction.store(flowRequestContext)" />
+        </on-entry>
+        <output name="homerealm" value="flowScope.homerealm" />
+        <output name="trusted_idp_context" 
value="flowScope.trusted_idp_context" />
+    </end-state>
 
 </flow>
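Review bot: The `redirectToTrustedIDP` end-state outputs `flowScope.trusted_idp_context`, but neither this hunk nor the new states earlier in the file assign that variable, so unless it is set somewhere outside the visible hunks the output is null and `saml-validate-request.xml` then copies a null into its own flowScope. Either set it before entering the end-state or drop the output until the SAML flow actually produces a context. A short comment above the `<output>` line recording where the value is expected to come from would help the next reader.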

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/69034b82/services/idp/src/main/webapp/WEB-INF/flows/saml-validate-request.xml
----------------------------------------------------------------------
diff --git 
a/services/idp/src/main/webapp/WEB-INF/flows/saml-validate-request.xml 
b/services/idp/src/main/webapp/WEB-INF/flows/saml-validate-request.xml
index 6808554..872c7d0 100644
--- a/services/idp/src/main/webapp/WEB-INF/flows/saml-validate-request.xml
+++ b/services/idp/src/main/webapp/WEB-INF/flows/saml-validate-request.xml
@@ -57,6 +57,10 @@
         </transition>
         <transition on="scInternalServerError" to="scInternalServerError" />
         <transition on="redirectToLocalIDP" to="redirectToLocalIDP" />
+        <transition on="redirectToTrustedIDP" to="processTrustedIdpProtocol">
+            <set name="flowScope.homerealm" 
value="currentEvent.attributes.homerealm" />
+            <set name="flowScope.trusted_idp_context" 
value="currentEvent.attributes.trusted_idp_context"/>
+        </transition>
     </subflow-state>
     
     <!-- produce RP security token (as String type) -->
@@ -97,6 +101,13 @@
             <evaluate expression="flowScope.rpResponse" 
result="requestScope.samlResponse" />
         </on-entry>
     </end-state>
+    
+    <action-state id="processTrustedIdpProtocol">
+        <evaluate 
expression="trustedIdpProtocolAction.mapSignInRequest(flowRequestContext, 
flowScope.homerealm)"
+                      result="flowScope.remoteIdpUrl"/>
+        <transition to="redirectToTrustedIDP" />
+        <transition on-exception="java.lang.Throwable" 
to="scInternalServerError" />
+    </action-state>
 
     <!-- abnormal exit point -->
     <decision-state id="handleBadRequestError">
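Review bot: `processTrustedIdpProtocol` maps every failure of `trustedIdpProtocolAction.mapSignInRequest` to `scInternalServerError` through `on-exception="java.lang.Throwable"`, which presumably includes a `flowScope.homerealm` that does not name a configured trusted IdP; that is a client error and would be more informative routed to `handleBadRequestError` (the decision-state right after this hunk) if the action signals it with a distinguishable exception. At minimum a comment on the transition, e.g. `<!-- any mapping failure, including an unknown home realm, ends as 500 -->`, would make the choice explicit.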
@@ -151,5 +162,8 @@
                       result="flowScope.localIdpUrl"/>
         </on-entry>
     </end-state>
+    
+    <!-- redirect to remote idp -->
+    <end-state id="redirectToTrustedIDP" 
view="externalRedirect:${flowScope.remoteIdpUrl}" />
 
 </flow>
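Review bot: The new `redirectToTrustedIDP` end-state performs `externalRedirect:${flowScope.remoteIdpUrl}`, so the target must only ever come from the trusted-IdP configuration resolved in `processTrustedIdpProtocol`, never from request input such as `RelayState` or the raw home realm, and the hunk does not record that. Replace `<!-- redirect to remote idp -->` with a comment that states the invariant, e.g. `<!-- redirect to the remote IdP; remoteIdpUrl is derived from the configured trusted IdP in processTrustedIdpProtocol, never from request parameters -->`.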

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/69034b82/systests/samlsso/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java
----------------------------------------------------------------------
diff --git 
a/systests/samlsso/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java 
b/systests/samlsso/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java
index 86e9628..c7d407b 100644
--- 
a/systests/samlsso/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java
+++ 
b/systests/samlsso/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java
@@ -190,7 +190,40 @@ public class IdpTest {
     //
     // Successful tests
     //
+    /*
+    @org.junit.Test
+    public void testBrowser() throws Exception {
+        OpenSAMLUtil.initSamlEngine();
+        
+        // Create SAML AuthnRequest
+        Document doc = DOMUtils.createDocument();
+        doc.appendChild(doc.createElement("root"));
+        // Create the AuthnRequest
+        String consumerURL = "https://localhost:"; + getRpHttpsPort() + "/" 
+            + getServletContextName() + "/secure/fedservlet";
+        AuthnRequest authnRequest = 
+            new DefaultAuthnRequestBuilder().createAuthnRequest(
+                null, "urn:org:apache:cxf:fediz:fedizhelloworld", consumerURL
+            );
+        authnRequest.setDestination("https://localhost:"; + getIdpHttpsPort() + 
"/fediz-idp/saml");
+        signAuthnRequest(authnRequest);
+        
+        Element authnRequestElement = OpenSAMLUtil.toDom(authnRequest, doc);
+        String authnRequestEncoded = encodeAuthnRequest(authnRequestElement);
+
+        String urlEncodedRequest = URLEncoder.encode(authnRequestEncoded, 
"UTF-8");
+
+        String relayState = UUID.randomUUID().toString();
+        String url = "https://localhost:"; + getIdpHttpsPort() + 
"/fediz-idp/saml?";
+        url += SSOConstants.RELAY_STATE + "=" + relayState;
+        url += "&" + SSOConstants.SAML_REQUEST + "=" + urlEncodedRequest;
+        
+        System.out.println("URL: " + url);
+        
+        Thread.sleep(60 * 1000);
 
+    }
+    */
     @org.junit.Test
     public void testSuccessfulInvokeOnIdP() throws Exception {
         OpenSAMLUtil.initSamlEngine();
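Review bot: `testBrowser` is committed as a block comment containing a `Thread.sleep(60 * 1000)` and a `System.out.println` of the sign-in URL; commented-out code gets no compiler or test coverage and will drift from the surrounding helpers. If it is meant as a manual aid for exercising the new IdP drop-down, keep it as a real method annotated `@org.junit.Ignore("manual browser test")` with a one-line Javadoc saying so; otherwise drop it. The same applies to the commented-out `trustedIdps` property added to `entities-realma.xml` in the last hunk, which references a `trusted-idp-realmB` bean not shown here.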

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/69034b82/systests/samlsso/src/test/resources/realma/entities-realma.xml
----------------------------------------------------------------------
diff --git a/systests/samlsso/src/test/resources/realma/entities-realma.xml 
b/systests/samlsso/src/test/resources/realma/entities-realma.xml
index 9f3b9d1..0e6a139 100644
--- a/systests/samlsso/src/test/resources/realma/entities-realma.xml
+++ b/systests/samlsso/src/test/resources/realma/entities-realma.xml
@@ -119,6 +119,13 @@
                 <ref bean="srv-fedizhelloworld" />
             </util:list>
         </property>
+        <!--
+        <property name="trustedIdps">
+            <util:list>
+                <ref bean="trusted-idp-realmB" />
+            </util:list>
+        </property>
+        -->
         <property name="claimTypesOffered">
             <util:list>
                 <ref bean="claim_role" />
